A cryptographic hash function is an algorithm that takes an arbitrary amount of data input—a credential—and produces a fixed-size output of enciphered text called a hash value, or just “hash.” That enciphered text can then be stored instead of the password itself, and later used to verify the user.
Certain properties of cryptographic hash functions impact the security of password storage.
Cryptographic hashes take cleartext passwords and turn them into enciphered text for storage. Attackers who access your database are forced to decipher those hash values if they want to exploit them. In other words, hashes slow down attackers.
Simple cryptographic hashes can slow down attackers, but ultimately attackers will be able to overcome them.
There are variations that can improve your hash function and provide a greater barrier against attacks.
Salting adds random data to each plaintext credential. The result: two identical plaintext passwords are now differentiated in enciphered text form so that duplicates cannot be detected.
A keyed hash function (also known as a hash message authentication code, or HMAC) is an algorithm that uses a cryptographic key AND a cryptographic hash function to produce a message authentication code that is keyed and hashed.
An adaptive one-way function is any function that is designed to iterate on its inner workings, feeding the output back as input, in a manner that causes it to–ultimately–take longer to execute. It is adaptive because the developer can adjust how many iterations occur. To protect stored passwords, architects have applied the adaptive design to hash functions (such as PBKDF2) and to encryption schemes (such as bcrypt).
Cryptographic hash functions do provide barriers to attackers, like speed bumps slowing down a speeding motorcycle. But it’s critical to remember that eventually the motorcycle will still make it down the street. However, these barriers will slow down your defenders as well—normal users and your server. Set the speed bump too high, and you run the risk of annoying your user—and overtaxing your server.
But no matter how high you build your speed bump, an attacker WILL ultimately be able to overcome it. The ongoing challenge is to slow down attackers while balancing the needs and satisfaction of your users.
Get insights into the current state of security for web-based apps and systems, including the potential impact of security vulnerabilities on business operations in high-risk sectors.